A default configuration used by the Apache http server has been discovered as vulnerable to uncovering the identity of Tor users.

The Apache server’s mod_status page displays uptime, resource usage, and active HTTP requests statistics – and is only accessible from localhost. This settling was selected to enhance the security of mod_status, but Tor relay uses localhost as a web proxy to ensure that users’ location information remains private.